Promoting a Culture of Data Privacy: How can your business join the data revolution?
The General Data Protection Regulation (GDPR) (EU 2016/679) governs how personal data is processed within the European Union and sets the conditions under which personal data may be transferred into or out of the EU.
Different considerations and varying legal regimes need to be taken into account, not least in light of Brexit. Some 136 countries now have privacy laws of their own, and another 28 have privacy laws in draft. In this article we look at the global privacy revolution and the strengths of the GDPR that make it so influential around the world.
Principle based policies
One of the biggest strengths of the GDPR is that it does not set out rigid, prescriptive rules. Rather, it is built on principles. Its aim is to connect local application with defined standards, and the result is guidance that can be used around the world. The GDPR principles underpin most of the privacy policies we read.
Generally, privacy policies are not tailored to where in the world we read them; rather, they are shaped by GDPR guidance. It is in any business's best interest to get these adaptable principles right, since people can easily understand and relate to them.
The principles set out in the GDPR are now generally accepted around the world. The regulation has prompted fundamental re-thinking within companies, and it has been taken seriously. We now see businesses giving real thought to accountability within their organisation and ensuring that roles and responsibilities are clearly defined.
A good example of this is the GDPR's data minimisation principle. Before the GDPR, the idea of keeping as little data as possible was foreign, especially in the business and marketing sectors. Now it is embedded in every good business model.
Data protection authorities can also be applauded for their forward-thinking approaches to the GDPR which has led to this potentially global application.
They look to learn from the companies that the rules affect, and ask the important question: who can learn from whom?
A focus on overall data security
Under principle-based guidance, regulators provide direct and clear steering from behind, while companies lead the way with their own practice.
As a result, data security is now one of the key risks that organisations take into account.
Data security and data privacy do not work in isolation: companies now use their data privacy policies, guided by the GDPR and pushed on by data protection authorities, to secure their data and to protect the overall integrity of their IT systems and data management programmes.
Demonstrating compliance
The flexibility of the GDPR means that there are a great number of ways to demonstrate compliance and commitment to data security. Robust data protection works in a cycle: (i) having good systems in place demonstrates compliance, and (ii) demonstrating compliance requires you to have good systems in place. For example:
It is now commonplace, and in some situations mandatory, to have a designated data protection officer (DPO). Article 37 GDPR requires one for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. Even where the appointment of a DPO is not mandatory, many companies choose to appoint a specialist privacy counsel or a data protection manager, whether as an internal member of staff or as an external advisor.
Companies are creating effective networks of data protection teams. Here it is clear to see the advantage of having a DPO who can collaborate with these teams and exchange recommended approaches, especially when a business has a global focus, whether through entities established in several jurisdictions (inside and outside the EEA) or simply through an international client base or borderless services, such as web-based or internet solutions.
Businesses now endeavour to regularly review their policies and promote these policies through company-wide engagement, to demonstrate their compliance.
Ongoing review and monitoring of the data protection issues that come up is now common; it flags risks for future projects and enables risk management.
Annual management reports and reporting from DPOs feed into this oversight and give a clear view of how a company should be run when it comes to privacy matters and exposure.
Creating a privacy culture?
Going forward, a company's main goal should be to curate the privacy culture we are now living in. As a business owner, you will find this undoubtedly starts at the top, but it is vital to carry it through the whole organisation. Here are our four top tips for using the GDPR's strengths to secure your competitive advantage:
Take it seriously. The biggest mistake we see is a company not taking its data security seriously enough. Prevention is always better than cure: don't wait for something to go wrong before learning the lesson. Being proactive and following privacy principles will always be an advantage.
Organise. Good storage and information classification systems are vital to create an efficient organisation. The work required here is far outweighed by the possible costs associated with poor data security.
Adapt. Renew and grow the culture of your organisation so that it becomes privacy focused. In this way, your company can push forward the principles of the GDPR and shape our global privacy laws in the future.
Innovate! Our experience of data privacy shows us that there is no one-size-fits-all solution. Your business is unique, and your culture of data privacy will be too.
If you have any questions on how to tackle data privacy in your company, or if you have any other legal questions, please get in touch.
Article by Lily Morrison and Anders Molander Skavlan @ Gerrish Legal, January 2020